破解实战-第三站
本帖最后由 我是用户 于 2013-6-23 13:49 编辑
【软件名称】: LukoolRecorder 2.7.5cn
【作者邮箱】: 2714608453@qq.com
【下载地址】: 自己搜索下载
【加壳方式】: 无壳(PEiD 核心扫描识别到的 Microsoft Visual C++ 6.0 是编译器信息,不是壳,见下文“查壳”)
【使用工具】: OD
【操作平台】: XP SP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
前言:
前段时间,论坛里有放出 LukoolRecorder 的注册机(当时还是明码比较)。我下载下来的时候注册机已经失效——新版本加入了网络验证,本文就是把它破掉的过程。论坛里已经有最新版本的破解,我在这里只说说破解的思路。
1.查壳
用 PEiD 查壳,普通扫描显示“什么都没找到”,核心扫描的结果是 Microsoft Visual C++ v6.0 DLL(这只是编译器特征,并不是壳)。
用OD载入,未显示压缩数据,无壳,不影响我们分析。
2.爆破
未注册版本的限制为录制生成的视频带有水印。
在注册框中输入注册信息,单击确定,弹出错误提示。
如图1:
bp MessageBoxA,程序断下后堆栈回溯(Alt+K 查看调用堆栈,找返回地址落在 LukoolRe 模块内、最靠近用户代码的那一层),找到按钮事件为 00459324。重新输入注册名和假码,具体分析代码如下。注意:下面贴出的代码里,方括号内的内存操作数被论坛排版吃掉了,例如 00459324 处的机器码 8B55 0C 实际是 mov edx,dword ptr ss:[ebp+0xC],C785 F4FEFFFF 是写 [ebp-0x10C]。
; Registration-dialog button handler at 00459324 (reached by stack backtrace from the MessageBoxA breakpoint).
; Reads the two edit controls, rejects empty input, then (after the elided part) compares the entered
; code with the locally computed one at 00431DF0. Bracketed memory operands were stripped by the forum.
00459324 > \8B55 0C mov edx,dword ptr ss: ; | edx = hDlg ([ebp+0xC])
00459327 .C74424 04 270>mov dword ptr ss:,0x427 ; | control id 0x427 = registration-name edit box
0045932F .C785 F4FEFFFF>mov dword ptr ss:,-0x1 ; |
00459339 .891424 mov dword ptr ss:,edx ; |
0045933C .E8 137A3800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00459341 .8D55 D8 lea edx,dword ptr ss: ; edx = &local string at ebp-0x28 (output buffer)
00459344 .83EC 08 sub esp,0x8
00459347 .894424 04 mov dword ptr ss:,eax
0045934B .891424 mov dword ptr ss:,edx
0045934E .E8 2DC9FEFF call LukoolRe.00445C80 ; read the registration name (text of item 0x427) into ebp-0x28
00459353 .8B5D 0C mov ebx,dword ptr ss: ; ebx = hDlg
00459356 .C785 F4FEFFFF>mov dword ptr ss:,0x7
00459360 .83EC 04 sub esp,0x4
00459363 .C74424 04 280>mov dword ptr ss:,0x428 ; | control id 0x428 = registration-code edit box
0045936B .891C24 mov dword ptr ss:,ebx ; |
0045936E .E8 E1793800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00459373 .83EC 08 sub esp,0x8
00459376 .8D55 D4 lea edx,dword ptr ss: ; edx = &local string at ebp-0x2C
00459379 .894424 04 mov dword ptr ss:,eax
0045937D .891424 mov dword ptr ss:,edx
00459380 .E8 FBC8FEFF call LukoolRe.00445C80 ; read the entered (fake) code (text of item 0x428) into ebp-0x2C
00459385 .8B45 D8 mov eax,dword ptr ss: ;ntdll.7C930060 ; eax = name string
00459388 .83EC 04 sub esp,0x4
0045938B .C785 F4FEFFFF>mov dword ptr ss:,0x6
00459395 .890424 mov dword ptr ss:,eax
00459398 .E8 932DFDFF call LukoolRe.0042C130 ; 0042C130 is also called with "Activate timeout..." at 00459244 - looks like a logging helper (assumption)
0045939D .8B55 D8 mov edx,dword ptr ss: ;ntdll.7C930060
004593A0 .8B5A F4 mov ebx,dword ptr ds: ;LukoolRe.005C006E ; ebx = [edx-0xC]: the length field sits 0xC bytes before the string buffer (same layout as the 00856D4C/00856D58 empty-string sentinel used below)
004593A3 .85DB test ebx,ebx
004593A5 .74 0E je short LukoolRe.004593B5 ; registration name empty -> skip the code check
004593A7 .8B45 D4 mov eax,dword ptr ss: ;ntdll.7C92E920
004593AA .8B48 F4 mov ecx,dword ptr ds: ; ecx = length of the entered code
004593AD .85C9 test ecx,ecx
004593AF .0F85 DB000000 jnz LukoolRe.00459490 ; both non-empty -> go on to the real check at 00459490 (continues at 004594DA below)
004593B5 >8D45 D0 lea eax,dword ptr ss: ; empty-input path (elided)
004593B8 .C74424 08 000>mov dword ptr ss:,0x0
...省略无关代码
; Local key check: 00431DF0(name, code) returns al != 0 when the entered code matches the computed one.
004594DA >8B55 D8 mov edx,dword ptr ss: ;ntdll.7C930060 ; edx = registration name (ebp-0x28)
004594DD .8B45 D4 mov eax,dword ptr ss: ;ntdll.7C92E920 ; eax = entered code (ebp-0x2C)
004594E0 .C785 F4FEFFFF>mov dword ptr ss:,0x6
004594EA .891424 mov dword ptr ss:,edx
004594ED .894424 04 mov dword ptr ss:,eax
004594F1 .E8 FA88FDFF call LukoolRe.00431DF0 ; compare entered code against the real code computed from the name
004594F6 .84C0 test al,al ; |
004594F8 .0F84 0C010000 je LukoolRe.0045960A ; | al == 0 -> jump to the failure path (error message box)
进入 00431DF0 可以看见真码。上一个版本(明码比较)没有网络验证,只需要做个内存注册机便可实现完美注册。
; 00431DF0: key-check routine (name, code) -> al. The real code is computed here; the result flag lives at
; ebp-0x11C0 and is loaded into eax just before the epilogue (see 00431EF7 below).
00431DF0 $55 push ebp
00431DF1 .B8 CC110000 mov eax,0x11CC ; presumably the frame size for a stack-probe/alloca sequence in the elided lines - verify
00431DF6 .89E5 mov ebp,esp
00431DF8 .57 push edi
00431DF9 .56 push esi
00431DFA .53 push ebx
...省略无关代码
; Tail of 00431DF0 on the mismatch path: result flag cleared, temporaries released, flag returned in eax.
00431EB1 .85DB test ebx,ebx
00431EB3 .0F85 B7020000 jnz LukoolRe.00432170
00431EB9 >8B55 D8 mov edx,dword ptr ss: ; edx = string at ebp-0x28
00431EBC .C785 40EEFFFF>mov dword ptr ss:,0x0 ; result flag [ebp-0x11C0] = 0 (fail) - one of the stores the patch at the end of the article flips to 1
00431EC6 .83EA 0C sub edx,0xC ; edx -> string header (length/refcount block 0xC bytes before the buffer)
00431EC9 >B9 4C6D8500 mov ecx,LukoolRe.00856D4C ; breakpoint here: ESI now points at the computed real code (see register dump below)
00431ECE .39D1 cmp ecx,edx ; header == shared empty-string sentinel 00856D4C ?
00431ED0 .0F85 D7070000 jnz LukoolRe.004326AD ; not the sentinel -> release the string (assumption)
00431ED6 >8B55 DC mov edx,dword ptr ss: ; same release check for the string at ebp-0x24
00431ED9 .BB 4C6D8500 mov ebx,LukoolRe.00856D4C
00431EDE .83EA 0C sub edx,0xC
00431EE1 .39D3 cmp ebx,edx
00431EE3 .0F85 93070000 jnz LukoolRe.0043267C
00431EE9 >8D85 80EEFFFF lea eax,dword ptr ss: ; eax = &local object at ebp-0x1180
00431EEF .890424 mov dword ptr ss:,eax
00431EF2 .E8 A94E3A00 call LukoolRe.007D6DA0 ; cleanup helper (also used at 00458A39) - presumably a destructor
00431EF7 .8B85 40EEFFFF mov eax,dword ptr ss: ; return value = result flag [ebp-0x11C0]
00431EFD .8D65 F4 lea esp,dword ptr ss: ; esp = ebp-0xC (restore to the three saved registers)
00431F00 .5B pop ebx ;02BB0A78
00431F01 .5E pop esi ;02BB0A78
00431F02 .5F pop edi ;02BB0A78
00431F03 .5D pop ebp ;02BB0A78
00431F04 .C3 retn
00431EC9处的寄存器信息如下:
EAX 00000001
ECX 77BFC2E3 msvcrt.77BFC2E3
EDX 02BB0EB0
EBX 02BB0A78
ESP 0022DEEC
EBP 0022F0C4
ESI 02BB0A85 ASCII "VTEX-YAGCD-BFZHV-TUWUU"
EDI 02BB0EBD ASCII "234567890"
EIP 00431EC9 LukoolRe.00431EC9
可见,ESI 处显示的就是所谓的真码 VTEX-YAGCD-BFZHV-TUWUU(EDI 处的 234567890 应该就是输入的注册名)。
重新输入注册名和真码,进入下一次验证。
; Local check passed: disable buttons 1 and 2, show control 0x42A, copy name/code into the globals
; 011A4FA8/011A4FB8 (read by the worker thread at 004587A6/004587AF), store hDlg at 011A4FC8,
; start the online-verification thread and arm timer id 1 for 0x2710 = 10000 ms (10 s timeout).
004594FE .8B5D 0C mov ebx,dword ptr ss: ; | ebx = hDlg
00459501 .C74424 04 010>mov dword ptr ss:,0x1 ; |
00459509 .C785 F4FEFFFF>mov dword ptr ss:,0x6 ; |
00459513 .891C24 mov dword ptr ss:,ebx ; |
00459516 .E8 39783800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
0045951B .83EC 08 sub esp,0x8
0045951E .C74424 04 000>mov dword ptr ss:,0x0 ; |
00459526 .890424 mov dword ptr ss:,eax ; |
00459529 .E8 B6773800 call <jmp.&USER32.EnableWindow> ; \EnableWindow ; EnableWindow(item 1, FALSE)
0045952E .83EC 08 sub esp,0x8
00459531 .C74424 04 020>mov dword ptr ss:,0x2 ; |
00459539 .891C24 mov dword ptr ss:,ebx ; |
0045953C .E8 13783800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00459541 .83EC 08 sub esp,0x8
00459544 .C74424 04 000>mov dword ptr ss:,0x0 ; |
0045954C .890424 mov dword ptr ss:,eax ; |
0045954F .E8 90773800 call <jmp.&USER32.EnableWindow> ; \EnableWindow ; EnableWindow(item 2, FALSE)
00459554 .83EC 08 sub esp,0x8
00459557 .C74424 04 2A0>mov dword ptr ss:,0x42A ; |
0045955F .891C24 mov dword ptr ss:,ebx ; |
00459562 .E8 ED773800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00459567 .83EC 08 sub esp,0x8
0045956A .C74424 04 050>mov dword ptr ss:,0x5 ; |
00459572 .890424 mov dword ptr ss:,eax ; |
00459575 .E8 12773800 call <jmp.&USER32.ShowWindow> ; \ShowWindow ; ShowWindow(item 0x42A, 5=SW_SHOW) - hidden again at 004589A9 when the result arrives
0045957A .83EC 08 sub esp,0x8
0045957D .8D45 D8 lea eax,dword ptr ss: ; &name (ebp-0x28)
00459580 .894424 04 mov dword ptr ss:,eax
00459584 .C70424 A84F1A>mov dword ptr ss:,LukoolRe.011A4FA8
0045958B .E8 00403C00 call LukoolRe.0081D590 ; global 011A4FA8 = name (string assign helper)
00459590 .8D45 D4 lea eax,dword ptr ss: ; &code (ebp-0x2C)
00459593 .894424 04 mov dword ptr ss:,eax
00459597 .C70424 B84F1A>mov dword ptr ss:,LukoolRe.011A4FB8
0045959E .E8 ED3F3C00 call LukoolRe.0081D590 ; global 011A4FB8 = code
004595A3 .891D C84F1A01 mov dword ptr ds:,ebx ; || global 011A4FC8 = hDlg (target of the thread's PostMessageA)
004595A9 .C74424 14 000>mov dword ptr ss:,0x0 ; || thrdaddr = NULL
004595B1 .C74424 10 000>mov dword ptr ss:,0x0 ; || initflag = 0
004595B9 .C74424 0C 000>mov dword ptr ss:,0x0 ; || arglist = NULL
004595C1 .C74424 08 A08>mov dword ptr ss:,LukoolRe.0045>; || start_address = 004587A0 (see stack dump below)
004595C9 .C74424 04 000>mov dword ptr ss:,0x0 ; || stack_size = 0
004595D1 .C70424 000000>mov dword ptr ss:,0x0 ; || security = NULL
004595D8 .E8 4B733800 call <jmp.&msvcrt._beginthreadex> ; |\_beginthreadex ; create the thread that performs the online verification
004595DD .8B55 08 mov edx,dword ptr ss: ; | edx = [ebp+8]
004595E0 .8902 mov dword ptr ds:,eax ; | save the thread handle; the timer handler at 00459249 terminates/closes it through this slot
004595E2 .C74424 0C 000>mov dword ptr ss:,0x0 ; | lpTimerFunc = NULL (WM_TIMER goes to the dialog)
004595EA .C74424 08 102>mov dword ptr ss:,0x2710 ; | uElapse = 10000 ms
004595F2 .C74424 04 010>mov dword ptr ss:,0x1 ; | nIDEvent = 1 (matches KillTimer(...,1) at 00459228)
004595FA .891C24 mov dword ptr ss:,ebx ; | hWnd = hDlg
004595FD .E8 4A773800 call <jmp.&USER32.SetTimer> ; \SetTimer
00459602 .83EC 10 sub esp,0x10
00459605 .^ E9 1AFEFFFF jmp LukoolRe.00459424
在004595D8处下CC断点,堆栈信息如下所示:
0022F0CC 00000000|security = NULL
0022F0D0 00000000|stksize = 0x0
0022F0D4 004587A0|start = LukoolRe.004587A0
0022F0D8 00000000|arg = NULL
0022F0DC 00000000|flags = 0
0022F0E0 00000000\pID = NULL
可知,线程函数为004587A0,下断,然后F9运行,程序断下。
; Worker thread entry (stdcall, one parameter - note retn 0x4). Calls 004318F0(name, code) with the
; globals filled in at 0045958B/0045959E and posts the result back to the dialog as message 0x500
; (= WM_USER + 0x100) with wParam = result.
004587A0/.55 push ebp
004587A1|.89E5 mov ebp,esp
004587A3|.83EC 18 sub esp,0x18
004587A6|.A1 B84F1A01 mov eax,dword ptr ds: ; eax = code (global 011A4FB8)
004587AB|.894424 04 mov dword ptr ss:,eax ;msvcrt.77C1BA52 ; arg2 = code
004587AF|.A1 A84F1A01 mov eax,dword ptr ds: ; eax = name (global 011A4FA8)
004587B4|.890424 mov dword ptr ss:,eax ;msvcrt.77C1BA52 ; arg1 = name
004587B7|.E8 3491FDFF call LukoolRe.004318F0 ; online verification: builds the request and talks to the server, returns result code in eax
004587BC|.C74424 0C 000>mov dword ptr ss:,0x0 ; | lParam = 0
004587C4|.C74424 04 000>mov dword ptr ss:,0x500 ; | Msg = 0x500
004587CC|.894424 08 mov dword ptr ss:,eax ; |msvcrt.77C1BA52 ; wParam = result of 004318F0
004587D0|.A1 C84F1A01 mov eax,dword ptr ds: ; | hWnd = hDlg stored at 011A4FC8
004587D5|.890424 mov dword ptr ss:,eax ; |msvcrt.77C1BA52
004587D8|.E8 DF843800 call <jmp.&USER32.PostMessageA> ; \PostMessageA
004587DD|.83EC 10 sub esp,0x10
004587E0|.C9 leave
004587E1\.C2 0400 retn 0x4
进入004318F0处
; 004318F0(name, code): builds the query string "reg_name=<X(name)>&reg_key=<X(code)>" in the local string
; at ebp-0x1C and hands it, together with a field of a config/session object, to the network routine 00427010.
; The original notes label 0081D250 as "encrypt"; from the call shapes below it is called with
; (accumulator, piece) both times and so looks like string append, while the transformation of the raw
; name/code (if any) happens in 0042FDE0 - assumption, verify by stepping into both.
004318F0 $55 push ebp
004318F1 .89E5 mov ebp,esp
004318F3 .57 push edi
004318F4 .56 push esi
004318F5 .53 push ebx
004318F6 .8D45 F4 lea eax,dword ptr ss:
004318F9 .83EC 7C sub esp,0x7C
004318FC .8945 C0 mov dword ptr ss:,eax
004318FF .8D45 A0 lea eax,dword ptr ss:
00431902 .890424 mov dword ptr ss:,eax
00431905 .C745 B8 B80A7>mov dword ptr ss:,LukoolRe.007> ; the three stores below plus the 007D7030 call look like an exception-frame/guard setup (same pattern at 0045891B) - assumption
0043190C .C745 BC FEF28>mov dword ptr ss:,LukoolRe.008>
00431913 .C745 C4 741C4>mov dword ptr ss:,LukoolRe.004>
0043191A .8965 C8 mov dword ptr ss:,esp
0043191D .E8 0E573A00 call LukoolRe.007D7030
00431922 .C745 A4 FFFFF>mov dword ptr ss:,-0x1
00431929 .E8 029FFDFF call LukoolRe.0040B830
0043192E .890424 mov dword ptr ss:,eax
00431931 .E8 CA8DFDFF call LukoolRe.0040A700 ; returns an object pointer (saved at ebp-0x74) whose field +0xC4 is logged and later passed to 00427010
00431936 .C745 E8 586D8>mov dword ptr ss:,LukoolRe.008> ; ebp-0x18 = empty string (00856D58 = buffer of the 00856D4C sentinel)
0043193D .8945 8C mov dword ptr ss:,eax
00431940 .8B80 C4000000 mov eax,dword ptr ds: ; eax = obj->field_0xC4
00431946 .C745 A4 04000>mov dword ptr ss:,0x4
0043194D .890424 mov dword ptr ss:,eax
00431950 .E8 DBA7FFFF call LukoolRe.0042C130 ; log it (same helper as at 00459398 / 00459244)
00431955 .8D4D E4 lea ecx,dword ptr ss: ; ecx = &accumulator string at ebp-0x1C
00431958 .C745 E4 586D8>mov dword ptr ss:,LukoolRe.008> ; accumulator = empty string
0043195F .C74424 08 090>mov dword ptr ss:,0x9 ; len = 9
00431967 .C74424 04 0E9>mov dword ptr ss:,LukoolRe.0085>;ASCII "reg_name="
0043196F .890C24 mov dword ptr ss:,ecx
00431972 .C745 A4 03000>mov dword ptr ss:,0x3
00431979 .E8 32BB3E00 call LukoolRe.0081D4B0 ; accumulator += "reg_name="
0043197E .8B45 08 mov eax,dword ptr ss: ; eax = name ([ebp+8])
00431981 .894424 04 mov dword ptr ss:,eax
00431985 .8D45 E0 lea eax,dword ptr ss: ; out string at ebp-0x20
00431988 .890424 mov dword ptr ss:,eax
0043198B .E8 50E4FFFF call LukoolRe.0042FDE0 ; ebp-0x20 = X(name): the transformation/encoding of the name happens here (assumption)
00431990 .83EC 04 sub esp,0x4
00431993 .8D55 E0 lea edx,dword ptr ss:
00431996 .8D4D E4 lea ecx,dword ptr ss:
00431999 .895424 04 mov dword ptr ss:,edx
0043199D .890C24 mov dword ptr ss:,ecx
004319A0 .C745 A4 02000>mov dword ptr ss:,0x2
004319A7 .E8 A4B83E00 call LukoolRe.0081D250 ; accumulator += X(name)   (article's note: "encrypt registration name")
004319AC .8B55 E0 mov edx,dword ptr ss:
004319AF .B8 4C6D8500 mov eax,LukoolRe.00856D4C
004319B4 .83EA 0C sub edx,0xC
004319B7 .39D0 cmp eax,edx ; release temp unless it is the empty-string sentinel
004319B9 .0F85 E4010000 jnz LukoolRe.00431BA3
004319BF >8D4D E4 lea ecx,dword ptr ss:
004319C2 .C74424 08 090>mov dword ptr ss:,0x9 ; len = 9
004319CA .C74424 04 189>mov dword ptr ss:,LukoolRe.0085>;ASCII "&reg_key="  (the forum rendered "&reg" as the (R) symbol; 9 bytes matches the length above)
004319D2 .890C24 mov dword ptr ss:,ecx
004319D5 .C745 A4 03000>mov dword ptr ss:,0x3
004319DC .E8 7FB73E00 call LukoolRe.0081D160 ; accumulator += "&reg_key="
004319E1 .8B45 0C mov eax,dword ptr ss: ; eax = code ([ebp+0xC])
004319E4 .894424 04 mov dword ptr ss:,eax
004319E8 .8D45 DC lea eax,dword ptr ss: ; out string at ebp-0x24
004319EB .890424 mov dword ptr ss:,eax
004319EE .E8 EDE3FFFF call LukoolRe.0042FDE0 ; ebp-0x24 = X(code)
004319F3 .83EC 04 sub esp,0x4
004319F6 .8D55 DC lea edx,dword ptr ss:
004319F9 .8D4D E4 lea ecx,dword ptr ss:
004319FC .895424 04 mov dword ptr ss:,edx
00431A00 .890C24 mov dword ptr ss:,ecx
00431A03 .C745 A4 01000>mov dword ptr ss:,0x1
00431A0A .E8 41B83E00 call LukoolRe.0081D250 ; accumulator += X(code)   (article's note: "encrypt real code")
00431A0F .8B55 DC mov edx,dword ptr ss:
00431A12 .B8 4C6D8500 mov eax,LukoolRe.00856D4C
00431A17 .83EA 0C sub edx,0xC
00431A1A .39D0 cmp eax,edx
00431A1C .0F85 4B010000 jnz LukoolRe.00431B6D
00431A22 >8B4D 8C mov ecx,dword ptr ss: ;LukoolRe.008A1018 ; ecx = object from 0040A700
00431A25 .8B45 E4 mov eax,dword ptr ss: ; eax = query string
00431A28 .8B91 C4000000 mov edx,dword ptr ds: ; edx = obj->field_0xC4 (likely the server address/URL - TODO confirm)
00431A2E .8D4D E8 lea ecx,dword ptr ss: ; ecx = &response string at ebp-0x18
00431A31 .894C24 08 mov dword ptr ss:,ecx
00431A35 .894424 04 mov dword ptr ss:,eax
00431A39 .C745 A4 03000>mov dword ptr ss:,0x3
00431A40 .891424 mov dword ptr ss:,edx
00431A43 .E8 C855FFFF call LukoolRe.00427010 ; network routine: 00427010(field_0xC4, query, &response) - the WinINet calls live in here
进入00427010
; 00427010: the actual network routine (WinINet). Only the prologue and the InternetOpenA call are shown.
00427010/$55 push ebp
00427011|.89E5 mov ebp,esp
00427013|.57 push edi
00427014|.56 push esi
00427015|.53 push ebx
...省略无关代码
; InternetOpenA(agent=edx, dwAccessType=1 /* INTERNET_OPEN_TYPE_DIRECT */, ...). Whether the request itself
; is plain HTTP or HTTPS is not visible in this excerpt.
004270C4|.C74424 04 010>mov dword ptr ss:,0x1 ; dwAccessType = 1
004270CC|.891424 mov dword ptr ss:,edx ; lpszAgent
004270CF|.C785 94FBFFFF>mov ,0x2
004270D9|.E8 C25D2500 call <jmp.&WININET.InternetOpenA> ; step in here to follow the request
004270DE|.83EC 14 sub esp,0x14
004270E1|.85C0 test eax,eax
004270E3|.8985 68FBFFFF mov ,eax ; save hInternet in a local
004270E9|.0F84 E1020000 je LukoolRe.004273D0 ; NULL handle -> error exit (presumably the path that yields the -1 / "network error" result)
我的虚拟机里没有网络,所以显示“网络连接错误”。
如图2:
下断 MessageBoxA,然后堆栈回溯,找到响应代码处为
; WM_TIMER handler for timer id 1 (armed at 004595FD for 10 s): kills the timer, logs "Activate timeout...",
; forcibly terminates the worker thread and reports result -1 (network error) to 00458900.
00459210 > \8B45 0C mov eax,dword ptr ss: ; | eax = hDlg ([ebp+0xC])
00459213 .C74424 04 010>mov dword ptr ss:,0x1 ; | uIDEvent = 1
0045921B .C785 F4FEFFFF>mov dword ptr ss:,-0x1 ; |
00459225 .890424 mov dword ptr ss:,eax ; |
00459228 .E8 F77A3800 call <jmp.&USER32.KillTimer> ; \KillTimer ; cancel the timeout timer
0045922D .8B55 08 mov edx,dword ptr ss: ; edx = [ebp+8] -> slot holding the thread handle (written at 004595E0)
00459230 .8B02 mov eax,dword ptr ds:
00459232 .83EC 08 sub esp,0x8
00459235 .85C0 test eax,eax
00459237 .^ 0F84 A9FCFFFF je LukoolRe.00458EE6 ; no thread outstanding -> nothing to do
0045923D .C70424 51B485>mov dword ptr ss:,LukoolRe.0085B451 ;Activate timeout...
00459244 .E8 E72EFDFF call LukoolRe.0042C130 ; log "Activate timeout..."
00459249 .8B5D 08 mov ebx,dword ptr ss: ; |
0045924C .8B03 mov eax,dword ptr ds: ; | hThread
0045924E .C74424 04 000>mov dword ptr ss:,0x0 ; | dwExitCode = 0
00459256 .890424 mov dword ptr ss:,eax ; |
00459259 .E8 A67D3800 call <jmp.&KERNEL32.TerminateThread> ; \TerminateThread ; kill the verification thread. TerminateThread gives the target no chance to unwind, so whatever WinINet handles/locks it held at that moment are simply abandoned - this is why a breakpoint placed after InternetOpenA in the worker never fires once the timer has expired
0045925E .8B03 mov eax,dword ptr ds:
00459260 .83EC 08 sub esp,0x8
00459263 .890424 mov dword ptr ss:,eax ; |
00459266 .E8 C97C3800 call <jmp.&KERNEL32.CloseHandle> ; \CloseHandle
0045926B .8B45 0C mov eax,dword ptr ss: ; eax = hDlg
0045926E .C703 00000000 mov dword ptr ds:,0x0 ; clear the handle slot
00459274 .83EC 04 sub esp,0x4
00459277 .C74424 08 FFF>mov dword ptr ss:,-0x1 ; arg3 = result -1 (treated as "network connection error" at 004589C6)
0045927F .894424 04 mov dword ptr ss:,eax ; arg2 = hDlg
00459283 .891C24 mov dword ptr ss:,ebx ; arg1 = context holding the handle slot
00459286 .E8 75F6FFFF call LukoolRe.00458900 ; result handler - step in, this is the important one
0045928B .C785 B8FEFFFF>mov dword ptr ss:,0x0
00459295 .^ E9 56FCFFFF jmp LukoolRe.00458EF0
00459228 处取消定时器(SetTimer 时给的是 0x2710 = 10000 毫秒,也就是 10 秒超时),00459259 处用 TerminateThread 结束网络验证线程,随后以结果 -1(对应 00458900 里的“网络连接错误”分支)调用 00458900。所以你会发现,如果在线程里 InternetOpenA 的下一句下断,程序会直接跑飞——线程早已经被结束了。顺带一提,TerminateThread 不会让目标线程做任何清理,它当时持有的 WinINet 句柄等资源就这么丢了;这是程序自身的质量问题,和破解无关,但调试时要心里有数。
进入00458900处
; 00458900(ctx, hDlg, result): result handler, called both from the worker's 0x500 message and from the
; timeout path with result = -1. Re-enables buttons 1 and 2, hides control 0x42A, then dispatches on result:
;   0  -> success (00458A46): persist name/code to user.dat and show string 0x97
;   1  -> "registration code activated too many times" (00458B75)
;  -1  -> "registration failed, network connection error" (00458AD7)
;  else-> generic message built from string resource 0x9B (fall-through below)
00458900/$55 push ebp
00458901|.89E5 mov ebp,esp
00458903|.57 push edi
00458904|.56 push esi ;LukoolRe.00459E40
00458905|.53 push ebx
00458906|.8D45 F4 lea eax,
00458909|.81EC 8C000000 sub esp,0x8C
0045890F|.8945 C0 mov ,eax
00458912|.8D45 A0 lea eax,
00458915|.8965 C8 mov ,esp
00458918|.890424 mov dword ptr ss:,eax
0045891B|.C745 B8 B80A7>mov ,LukoolRe.007C0AB8 ; same frame/guard setup pattern as at 00431905 (assumption)
00458922|.C745 BC 1CF88>mov ,LukoolRe.0084F81C
00458929|.C745 C4 BC8C4>mov ,LukoolRe.00458CBC
00458930|.E8 FBE63700 call LukoolRe.007D7030
00458935|.8B5D 0C mov ebx, ; | ebx = hDlg ([ebp+0xC])
00458938|.C74424 04 010>mov dword ptr ss:,0x1 ; |
00458940|.C745 A4 FFFFF>mov ,-0x1 ; |
00458947|.891C24 mov dword ptr ss:,ebx ; |
0045894A|.E8 05843800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
0045894F|.83EC 08 sub esp,0x8
00458952|.C74424 04 010>mov dword ptr ss:,0x1 ; |
0045895A|.890424 mov dword ptr ss:,eax ; |
0045895D|.E8 82833800 call <jmp.&USER32.EnableWindow> ; \EnableWindow ; re-enable item 1 (disabled at 00459529)
00458962|.83EC 08 sub esp,0x8
00458965|.C74424 04 020>mov dword ptr ss:,0x2 ; |
0045896D|.891C24 mov dword ptr ss:,ebx ; |
00458970|.E8 DF833800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00458975|.83EC 08 sub esp,0x8
00458978|.C74424 04 010>mov dword ptr ss:,0x1 ; |
00458980|.890424 mov dword ptr ss:,eax ; |
00458983|.E8 5C833800 call <jmp.&USER32.EnableWindow> ; \EnableWindow ; re-enable item 2
00458988|.83EC 08 sub esp,0x8
0045898B|.C74424 04 2A0>mov dword ptr ss:,0x42A ; |
00458993|.891C24 mov dword ptr ss:,ebx ; |
00458996|.E8 B9833800 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
0045899B|.83EC 08 sub esp,0x8
0045899E|.C74424 04 000>mov dword ptr ss:,0x0 ; |
004589A6|.890424 mov dword ptr ss:,eax ; |
004589A9|.E8 DE823800 call <jmp.&USER32.ShowWindow> ; \ShowWindow ; ShowWindow(item 0x42A, 0=SW_HIDE)
004589AE|.8B45 10 mov eax, ; eax = result ([ebp+0x10])
004589B1|.83EC 08 sub esp,0x8
004589B4|.85C0 test eax,eax
004589B6|.0F84 8A000000 je LukoolRe.00458A46 ; result == 0 -> registration succeeded. Patching this je to jmp sends every result (including the timeout's -1) down the success path; the server's verdict is never consulted anywhere else
004589BC|.837D 10 01 cmp ,0x1
004589C0|.0F84 AF010000 je LukoolRe.00458B75 ; result == 1 -> "code activated too many times"
004589C6|.837D 10 FF cmp ,-0x1
004589CA|.0F84 07010000 je LukoolRe.00458AD7 ; result == -1 -> "registration failed, network connection error"
004589D0|.8D45 DC lea eax, ; any other result: build a generic message
004589D3|.890424 mov dword ptr ss:,eax
004589D6|.C74424 08 000>mov dword ptr ss:,0x0
004589DE|.C74424 04 9B0>mov dword ptr ss:,0x9B ; string id 0x9B (00445B00 looks like a load-string helper - assumption)
004589E6|.C745 A4 FFFFF>mov ,-0x1
004589ED|.E8 0ED1FEFF call LukoolRe.00445B00
004589F2|.8B45 DC mov eax,
004589F5|.8B5D 0C mov ebx,
004589F8|.C745 A4 01000>mov ,0x1
004589FF|.8945 9C mov ,eax
00458A02|.83EC 04 sub esp,0x4
00458A05|.894424 0C mov dword ptr ss:,eax
00458A09|.C74424 08 000>mov dword ptr ss:,0x0
00458A11|.C74424 04 000>mov dword ptr ss:,0x0
00458A19|.891C24 mov dword ptr ss:,ebx
00458A1C|.E8 DFD3FEFF call LukoolRe.00445E00 ; 00445E00(hDlg, 0, 0, text): display the message (assumption)
00458A21|.8B55 9C mov edx, ;USER32.77D2C228
00458A24|.83EA 0C sub edx,0xC
00458A27|.81FA 4C6D8500 cmp edx,LukoolRe.00856D4C ; release the temp string unless it is the empty sentinel
00458A2D|.0F85 E0010000 jnz LukoolRe.00458C13
00458A33|>8D45 A0 lea eax,
00458A36|.890424 mov dword ptr ss:,eax
00458A39|.E8 62E33700 call LukoolRe.007D6DA0 ; cleanup helper (same as at 00431EF2)
00458A3E|.8D65 F4 lea esp,
00458A41|.5B pop ebx ;LukoolRe.0045928B
00458A42|.5E pop esi ;LukoolRe.0045928B
00458A43|.5F pop edi ;LukoolRe.0045928B
00458A44|.5D pop ebp ;LukoolRe.0045928B
00458A45|.C3 retn
00458A46|>A1 B84F1A01 mov eax,dword ptr ds: ; success path: eax = code (global 011A4FB8)
00458A4B|.894424 04 mov dword ptr ss:,eax
00458A4F|.A1 A84F1A01 mov eax,dword ptr ds: ; eax = name (global 011A4FA8)
00458A54|.890424 mov dword ptr ss:,eax
00458A57|.E8 94A2FDFF call LukoolRe.00432CF0 ; 00432CF0(name, code): write the registration info to user.dat
00458A5C|.8D45 E8 lea eax,
00458A5F|.890424 mov dword ptr ss:,eax
00458A62|.C74424 08 000>mov dword ptr ss:,0x0
00458A6A|.C74424 04 970>mov dword ptr ss:,0x97 ; string id 0x97 (success message)
00458A72|.E8 89D0FEFF call LukoolRe.00445B00
00458A77|.8B45 E8 mov eax, ;UxTheme.5ADF1688
我们将 004589B6 处的 je 改为 jmp,即可实现注册:这样不管线程返回什么结果(包括超时给的 -1),都会走到 00458A46 的成功分支,把注册名和真码写入 user.dat。注册后,注册信息保存在 C:\Documents and Settings\Administrator\Application Data\LukoolRecorder\user.dat 中。
如图3所示:
很明显这是个重启验证。但重启后,软件显示已注册,注册按钮已消失,录像也无水印。
如图4所示:
这说明我们的真码是没有错的,网络验证只是在“写入注册信息”这一步设了道坎——启动时只是把 user.dat 里的信息和本地算出的真码比对(我的虚拟机没有网络也照样显示已注册)。所以我们只需自己在 C:\Documents and Settings\Administrator\Application Data\LukoolRecorder\user.dat 中写入注册信息即可。不过注册信息是经过加密的,
有兴趣的朋友可以跟一下,自己构造注册信息,不难。
现在我们从源头上去爆破它:右键搜索字符串,找到 user.dat,然后右键跟随,再堆栈回溯慢慢找。代码比较长,要有耐心,我这里就不贴完整的代码了。
; user.dat path: compare the stored code against the recomputed real code byte by byte, then by length.
00432222 .8B7D D8 mov edi,dword ptr ss: ; edi = string at ebp-0x28 (one side of the compare)
00432225 .FC cld
00432226 .39C9 cmp ecx,ecx ; compiler idiom: sets ZF=1 so a zero-count repe cmpsb still reads as "equal"
00432228 .F3:A6 repe cmps byte ptr es:,byte ptr ds:>; compare ecx bytes of the stored code with the real code (ecx is set before this excerpt)
0043222A .75 0C jnz short LukoolRe.00432238 ; bytes differ -> fail
0043222C .399D 74EEFFFF cmp dword ptr ss:,ebx ; lengths equal? ([ebp-0x118C] vs ebx)
00432232 .0F84 FB030000 je LukoolRe.00432633 ; match -> success path that sets the flag to 1
00432238 >C785 40EEFFFF>mov dword ptr ss:,0x0 ; fail: result flag [ebp-0x11C0] = 0
00432242 >BA 4C6D8500 mov edx,LukoolRe.00856D4C
00432247 .3B95 78EEFFFF cmp edx,dword ptr ss: ; release temp string unless it is the empty sentinel
0043224D .0F85 D5040000 jnz LukoolRe.00432728
00432253 >8B55 D8 mov edx,dword ptr ss:
00432256 .83EA 0C sub edx,0xC
...省略代码
; user.dat path, success: copy the string at ebp-0x24 into global 011A2838 (0081D590 is the same
; string-assign helper used at 0045958B) and set the result flag to 1 - the value the caller tests.
00432633 > \8D45 DC lea eax,dword ptr ss:
00432636 .894424 04 mov dword ptr ss:,eax
0043263A .C70424 38281A>mov dword ptr ss:,LukoolRe.011A2838
00432641 .C785 84EEFFFF>mov dword ptr ss:,0x5
0043264B .E8 40AF3E00 call LukoolRe.0081D590
00432650 .C785 40EEFFFF>mov dword ptr ss:,0x1 ; result flag [ebp-0x11C0] = 1 (registered)
标志位(机器码 C785 40EEFFFF,即 [ebp-0x11C0])的赋值有以下几种情况:
user.dat 不存在:
00432159 C785 40EEFFFF>mov dword ptr ss:,0x0
user.dat 存在:
00432650 .C785 40EEFFFF>mov dword ptr ss:,0x1 ; 真码正确
00432238 > \C785 40EEFFFF>mov dword ptr ss:,0x0 ; 假码错误
未知情况:
00432173 .C785 40EEFFFF>mov dword ptr ss:,0x0
00431EBC .C785 40EEFFFF>mov dword ptr ss:,0x0
我们把这几处的 0x0 都改为 0x1,不管是什么情况都能注册成功。注意这样一改,真码比较本身也被绕过了(00431EBC 所在的对话框校验同理)——整个授权判断最终只落在这一个标志位上,网络验证对它没有任何约束。
测试过的系统:win7 64bit ,XP 32 bit。
=================================================================
传送门:
破解实战-第一战:http://www.52pojie.cn/thread-197281-1-1.html
破解实战-第二战:http://www.52pojie.cn/thread-197598-1-1.html
破解实战-第三站:http://www.52pojie.cn/thread-197957-1-1.html
破解实战-第四站:http://www.52pojie.cn/thread-198203-1-1.html
破解实战-第五战:http://www.52pojie.cn/thread-198365-1-1.html
破解实战-第六战:http://www.52pojie.cn/thread-198930-1-1.html
破解实战-第七战:http://www.52pojie.cn/thread-199459-1-1.html
破解实战-第八战:http://www.52pojie.cn/thread-199834-1-1.html
破解实战-第九战:http://www.52pojie.cn/thread-200655-1-1.html
破解实战-第十战:http://www.52pojie.cn/thread-200798-1-1.html